Posted
by
Soulskillon Saturday January 22, 2011 @06:36PM
from the with-your-switch-or-on-it dept.

coondoggie writes "Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security."

Self defense would imply that the retaliation would stop the attack. It fairly obviously wouldn't, because it doesn't incapacitate the attackers. No matter what you do to the attacker's computer, at worst he just has to format it and start over, and if the attacker isn't an idiot he has backups. Which means you bought maybe a couple hours before you're back to square one. Maybe a couple days or a week if you disable a botnet. But now now the attacker (who may very well be better at this than you and have le

So your solution is "Kill them"? There really is no such thing as secure anymore. Devices and software can be(and are) hacked within days of their release or implementation. Sufficiently secure? If someone wants in, you're fighting an uphill battle keeping them out.

You don't have to be faster than the bear, you only have to be faster than the whoever you're standing next to.

1. Attack your target.
2. Wait for counterattack.
3. Deny 1, or claim it was an attack launched by compromised computers without your knowledge.
4. Sue your target for the costs of their counterattack.

Exactly my thought; I don't want rogue corporate types or the government trying to figure out who's do the attacking and retaliating. They need to beef up their own security and use the current legal system to subvert "cyber attacks".

Plus, given how the US govt and probably US corporations wants to treat wikileaks as a terrorist org, I can imagine big corp/govt "retaliation" being a literal Trojan Horse [SWAT team!] instead of code.

The problem with conventional response is that of geography. When your opponent is some script kiddie or amateur hacker, it's all very well - you go to court, get a warrant, trace his IP through the ISP logs, and file charges. But if the attacker is an organised criminal group, the attack will be coming from a computer in Outer Elbonia, where the local police couldn't care less about your paperwork, and the ISP doesn't care that the connection is registered under a false name. There are even ISPs that specialise in hosting scams and malware - usually in Russia or somewhere similar. It can take weeks to go through legal channels, and during those weeks the attacks (Or malware host) keep on running.

The impossibility of regulating the internet is what allows us the freedoms we at Slashdot love so much, but the price of this is that it's largely unpoliceable.

The impossibility of regulating the internet is what allows us the freedoms we at Slashdot love so much, but the price of this is that it's largely unpoliceable.

And I regard the price as acceptable so far. We take a few knocks and we keep on going. I'd rather that than lock ourselves in some little cell of monitored and controlled connections for the sake of supposed protection. A prison will protect you from a lot of the dangers of outside life, but you still don't want to make your life a prison.

Have you ever _tried_ to get a warrant against a script kiddie? The last time I tried, the police and the ISP from where the script kiddie was acting both passed it along to FBI, who did _nothing_. Actually getting a prosecution basically involves educating them in how things work, even wuth the much vaunted FBI computer crime teams.

It helps if you've got some political connections. If you are someone like, for example, Sarah Palin then it's easy to make sure any wannabe-hacker who guesses your password gets to spend a few years in jail. It's just as with any other crime, really: How much the police care about catching the criminal is directly related to the wealth and influence of the victim.

...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

Yeah a counter attack only makes sense if you can stop future attacks. A legal attack may put the guy in jail. But DOSing his home PC isn't going to accomplish anything for you so its a waste of effort.

Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?

Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?

Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

If you leave your car unattended and some asshat criminal steals it, would you say he attacked you, or would you say he has stolen from you?

If you leave your ATM card in the ATM and some asshat criminal drains all the money from your account, would you say he attacked you or would you say he committed fraud and/or larceny?

If you leave a candy bar at your desk and an asshat coworker swipes it and eats it without asking you if he may have it, would you say he attacked you or would you say he swiped your candy bar?

If all of the above are attacks then what do you call it when one person physically assaults another person? We used to have a neat solution for the problem of making this distinction, in the form of specific words like "attack" that have a specific meaning. Sure, we can reject that and blur all distinctions so we can sensationalize and play up the hyperbole of comparing everything to violent assault, and justify it by saying "it's a LIVING language", but have you thought this through? Is using the correct word such an unreasonable burden, is supporting this kind of sensationalism so desirable, that it's worth introducing artificial ambiguity? I for one don't believe so.

If you leave your car unattended and some asshat criminal steals it, would you say he attacked you, or would you say he has stolen from you?

If you leave your ATM card in the ATM and some asshat criminal drains all the money from your account, would you say he attacked you or would you say he committed fraud and/or larceny?

If you leave a candy bar at your desk and an asshat coworker swipes it and eats it without asking you if he may have it, would you say he attacked you or would you say he swiped your candy bar?

If you leave your car unlocked and someone takes the opportunity to change the locks on your car so they can steal it again any day they like (while still letting you drive it--somehow), that's an attack. Doubly so if they use your car to perform illegal activities, then return it before you notice.

Same if you leave your ATM card somewhere, and they not only siphon cash, but do social engineering attacks to get the bank to disclose details that will, for instance, let them obtain a credit card in your name

The legal word you are looking for for threats against one's person or safety is "assault". The legal word for laying hands on someone else against their wil and without other justifiable cause is "battery". The word "attack" has _never_ had the kind of "purely physical attack" definition you claim. The ambiguity is in your limited definition of the world: I can see where that would be confusing.

...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

I disagree. The use of the word "attack" is perfectly suited. Espionage involves attacks. Politics involves attacks. You can attack a problem, attack a mountain (climbing in mind but that could imply more than one form of 'attack'), attack a movie you found worthy of strong criticism, or attack an idea. An attack is nothing more than an aggressive action who's implication is highly dependent on the situation and context of the use of the word.

The base problem is looking at this as warfare. In the context of war, an attack has very specific connotations. That form of attack and the concept of war lead us in to the wrong mind-set for the reality of the situation. This is where trickery, spying, and sabotage comes in. This is simply a new set of tools for espionage. And while this does open a new way of looking at things beyond the old Cold War era, namely actors that may not be directly associated with a State, a lot of the traditional concepts and general nature of the behavior apply well to the exploitation of this new environment and tool sets.

That's an interesting point and raises the issue of how we're framing the incident of an "attack". By calling it an attack, we're attempting to justify retaliation. As to the best response, I'd say diverting the attack and logging the method of attack makes more sense. As data is collected about attacks, their sources, methods and frequency become the basis for standard operating procedure rather than the news.

By reducing their effect with black hole strategies rather than retaliation, we reduce the c

Is the attack scenario one bad guy?Then you should contact law enforcement. Also you should make sure your security set up is appropriate.

Is the attack scenario that you are an big company and people attack you because you are known?Then you should make sure your security set up is appropriate. Attacking people is pointless because new ones will turn up all the time.

I think the problem is that with a cyber attack, you don't know if the computer attacking you is the actual person, a proxy, and pwned box or what. In a physical attack, yeah, I say pick up a 2x4 and pop them in the head. In a cyber attack, it is pretty easy to attack the wrong target, maybe bogging up some routers along the way causing inconvenience to innocent bystanders as well. I personally would like to see mass spammers and other cyber criminals get a firing squad on public television, as a deterrent, but not sure going vigilante is the right answer.

this does bring up an interesting question in the whole debate about corporate personhood. Obviously corporations have a right to some sort of self-defense: protection from libel and slander, and protection from sabotage. And of course protecting their employees. (Despite anti-corporatist bias, most corporations really could do without someone waltzing into the secretarial pool and shooting up the place.) But what are the boundaries that corporations should have in exercising self-defense?

The question is more are you actually going to retaliate against the attacker or is it like "Let's send some rockets back into that city, because that's where they came from." Anyone launching an attack directly from their own computer is a total amateur, chances are great it'll be some unsuspecting third party's machines and networks that'll be your battle ground. And I very much doubt they care who started it, they're likely to go after everyone that's been hacking their systems when they first find out. If I go on vacation and find two gangs have trashed my apartment I'm not really going to care who started it.

Your analogy is you go on vacation and, in your absence, a gangwar erupted in your apartment? Then you come back and see the damage. Respond with "Alright motherfuckers, I dont give a shit who started it." Then presumably go on to kick some ass. Sounds pretty awesome.

I guess the issue is does the attacker need to meet the knowingly standard. Most attacks don't use spoofed address because from most places that is incredibly hard to make work. So typically the person running the attack will use a proxy or two and for DDOS like stuff a bot net. In general the machine the packets are coming from is an attacker, regardless of its owner's awareness.

I don't think its wrong to go blasting bot net nodes off the internet if they are causing you grief and you can identify them.

It is worse than that.
One of 500,000,000 threads on the Intertubes.
void CyberAttackInit(char *Target){
bool Attacked;
if (httpTraffic>1000){Attacked=TRUE;}
if (Attacked==TRUE){attackAllAttackers();}
}
I would guess that it would go from one attack or mistake to a deadlock in nanoseconds. It wouldn't end until somebody burned up or hit a bandwidth limit. One person could set off the entire internet in a single prompt critical. We should really create more situations like this that can be memorialized l

Sweet. So if the Cyberattack function exists, it must be called. An weapon unused is a useless weapon and all that.... On the other hand, such an argument tends to be an argument of the lazy (binding).

But I am curious about about the machines that are responsible for a lot of attacks online.
A year or so ago I noticed ssh brute force attempts in/var/log/secure and found a cool solution called denyhosts [sourceforge.net] that parses log files, adjusts/etc/hosts.deny, and logs all activity.
This got me thinking about a project... I would really like to create some NSE (nmap scripting engine) scripts, or something similar, to go through and scan the machines that show up in my log files as trying to weasel their way in via ssh or other common, filtered tools. It would be interesting to create some visual representations of services, geographical locations, and general makeup of the boxes that are attacking these services.

I hope you included something which turned that off if it added more than a certain number of hosts in a short time.otherwise it makes for an easy DOS, spoof packets and watch as your server blocks the whole net.

something which imposes a temporary block and can only block a limited number of IP's at a time would be good for preventing casual and script kiddie attacks though.

DenyHosts includes a PURGE_DENY option which allows you to specify how long blocks are kept for.

Spoofing shouldn't be an issue here. We're not talking about logging SYN packets but failed login attempts. An attacker can't perform those without being able to get packets back from the server and they can't do that if they are spoofing their address. Unless perhaps they are plugged into the same hub as the server but if that's the case you've likely got bigger problems to worry about.

1) Collect as much info as you can about the source of the attack.
2) Send an email to the abuse address on record.
3) Harden system some more.
4) Wait for some sort of response.
5) Publish the source IP, whatever response is received in the email response, and AS info (i.e. netblock) along with the details of the attack.
6) Block all future traffic from the AS.

6) Too crude, how will AS people know why they have been blocked if they are blocked? Blocking whole AS might kill somebody or sombodies!
Maybe:
5.3) Block only offending addresses only from attack target with expiration time.
5.4) Contact AS operators by other means if they don't respond to email.
5.5) Require AS operators to have SIP phones, live chat and a contact person/s, or some why to know your email hasn't gone into a black hole.
5.6) If addresses proceed to attack other target

If everyone clicked the link in those "work from home" scams 100 times, or replied to every "your webmail account is about expire" email with bogus details then it would drown the enemy in useless information.

If you then take it a step further and have an automated system that clicks links a million times automatically and replies to the emails with bogus information a million times then it would be even better.

Until someone gets the idea to send out a "I made a billion $$$ working from home. Click http://w [kernel.org]

At least at the corporate level. Consider. A competitor's network appears to be attacking yours, so you attack back and get into their networks. Only it turns out that someone hacked the competitor, and it was no fault of the competitor at all. The counter attacking corporation's employees are now guilty of a felony, and presumably were directed to do so by a senior manager. The following actions are available to your competitor:

1. Pressing the district attorney to prosecute the employees and management2. Pressing the district attorney to prosecute the corporation (i.e. the corporate death penalty)3. Suing all the criminal employees including all executives in the chain, either authorizing parties or cognizant parties4. Suing the corporation

Given the criminal act with malice of forethought, the #4 option will be of practically unlimited liability. You can expect to be charged 100% of all attorney's fees, the actual cost of their security event including cleanup and all IT labor associated therewith, and an apportionment of their ongoing security operations fees. For #3, some jurisdictions do not permit bankruptcy out of civil liabilities originating from criminal acts. No employee will be protected just because their bosses told them to do the act, as the act was a crime and is indefensible.

Sigh, bad summary and over-hyped news strikes again.If you read the article, you will see that the actual Black Hat speakers do not suggest a revenge cyber attack. And the article itself, doesn't actually talk about using real cyber attacks.

They talk about stuff like using "tarpits" to get exploit tools and botnets stuck in loops to slow them down (like CAPTCHAs or locking out login attempts), feeding fake information to cyber attackers (like honeypots).Of course, the article uses wording that implies an a

There's an even worse scenario, in that spoofing could allow an attacker to fake being a different origin. For bonus points, launch a nonsense attack that ties up your biggest competitors in an information/legal war...

I think everyone who has ever done information security from the defence side has had this thought cross their head. Like "Why don't we write a virus that patches Windows?", it turns up every now and then. It's very very illegal (can you imagine trying to persuade the US & China to provide

One of the other posters responded that TFA was of course really not about revenge attacks, but more about tying up the attackers in mire. I really support that. For example, look up the La Brea honey pot. It's a digital tarpit for autonomous malware. It's pretty cool, and completely legal.

...if all of the above fail to produce the desired effect, then why not counterattack in such a way that none of the above can be applied against you? By your failure in using the above procedures, you've got clear evidence that it is possible to attack and get away with it...

Until you as a manager discover you have one or more subordinates who either 1) don't like you personally, or 2) don't like doing illegal things. Decision maker: meet the prison system.

In the US, and in the sorts of theoretically-rule-of-law-y jurisdictions that corporations generally have substantial operations and assets in, most flavors of "cyberattack" are de jure Pretty. Seriously. Not. Legal.

This does approximately jack shit against gangs operating offshore in who-knows-where controlling botnets of enslaved Joe User XP home boxes; but it is the state of the law. Now, let's think about this for a second: Any "cyber-counterattack", unless unbelievably flawless, is probably going to have some amount of collateral damage: ISPs getting parts of their networks DDOSed, innocent-if-clueless home users getting their botnetted boxes taken down, etc. Even the direct damage will be illegal(though criminal gangs probably won't press charges); but the collateral damage will, in not a few cases, fall directly on people and businesses, in western jurisdictions, who had nothing to do with the original attack(other than, perhaps, not updating their AV often enough).

Now, when it comes to light that Foocorp LLC, a division of Deeppockets Industries, and their officers and employees have been guilty of numerous violations of federal cybercrime violations, most felonies, and a variety of civilly actionable property damage, where do you think the lawyers are going to go looking for blood? Yuri Shadymov and John Does 1-N, the mysterious perpetrators of the attack on Foocorp, or the conveniently-located-right-at-home Deeppockets Industries?

There would be a nonzero risk(and they would deserve every bit of it) that Deeppockets industries could find itself up to its eyeballs in civil suits, and the Foocorp IT team and every exec who knew of and authorized their actions could be looking at serious fines and some quality time in FPMITA...

Worse, it's pretty easy to pin an obvious or even not-so-obvious cyberattack on someone else. If vigilante "cyber justice" is acceptable, then an efficient way of performing your cyber attack is simply to attack a third-party target and make it look like your real target did it.

The other issue, with electronic attacks specifically, is that effective "self defense" would require absurdly broad authorization.

In physical terms, you have states like Texas, where shooting trespassers is largely legal, and states like Massachusetts where you pretty much have to have run out of other options before you can use lethal force in self defense. When it comes to electronic attacks, everybody already enjoys greater-than-Texas level of self-defense capability. I can tell my routers and switch

Naturally, although many cyber attacks right now are done through botnets or are made to look as if they were done by an anonymous, meaningless entity, rather than intentionally placing evidence that leads you to believe it's from a particular third party.

The short version is that vigilante justice is particularly bad for cyber attacks because attribution is particularly difficult.

They would never be certain to get the right target and cannot guarantee that innocent bystanders won't get caught in the crossfire. That may be acceptable in the silly plots of TV dramas, but in real life there are consequences.

So, the summary is misleading.The actual article (starts out) talking about using vulnerabilities in botnets and "attack" tools, and an idea called a "tarpit" that would attempt to tie up resources on botnets and "attack" tools.Not much of a new idea, as people are already doing things like this: Locking out login attempts, delaying login, or CAPTCHAs are a simple example of "tarpits". Reverse engineering malicious programs is already being done. Honeypots, etc."Revenge assault" seems to be strong wordin

For the attacks I heard about it was often not clear who was behind them. As for many viruses, it was unknown where Stuxnet came from. It is mostly unknown who is controlling the botnets behind DoS attacks. If someone steals data he will either use TOR, or an open hotspot.

We need to establish corporate extraterritoriality before anyone exept the government can start to mount turreted autocannons in their lobbies/Black ICE in the networks/kink bombs in the implants of all employees and family members below B-grade. Or at least, that's the story that anyone below grade Ultraviolet/AAA gets fed. But boy, will those AAA bastards be up for a surprise when the second stage of Dunkelzahn's Cyberzombie-Jesus-plot finally comes into action at the product lifecycle end of Shadowrun 4e

Given the ease of hiding the origin of your attack (tried tracking spam?) you've got the problem of the hackers doing false flag attacks on you in order to trick you into attacking the real target of the hackers. The only way to actually stop attacks is to track them down and arrest them. No other plan will ensure the attacks permanently stop. On the other hand, having the RIAA attack MPAA in a full scale cyberwar would be kindof cool.

Why would anyone imagine that the same outcome would not apply in cyberspace? I DDOS you, you DDOS me. We get our friends to DDOS our enemies. You deface me, I deface you. Sounds like a whole lot of wasted bandwidth. I'd rather see folks invest in anti-spoofing at the network edge, implement better auth methods, and review content for vulnerabilities before they publish. Sheesh.

Do you really want CORPORATES have that power? Please. These guys don't even have the common sense to break the boom-bust cycles. It's like giving a knife to a child incapable of learning from experience.
So Company A attacks Hacker B. Only it turns out that the attack went awry and Hacker B is actually a rival corporate giant. So Rival Corporate giant attacks, which misfires too. Remember, it is difficult to prove motivation or origin or logic in a cyber attack. Isn't it fun, boys?

In a working state, the power to punish by act seen as criminal is exerted by the police and the courts. If "the strong" can "retaliate" against the weak, the we call that anarchy.

If Amazon want they can take offline everybody who is hosting wikileaks and every imageboard which used the word "anonymous" on the planet by dedicating 10% of their computational/network power to "retaliate". If google would like to "retaliate" against somebody, they could take a medium-sized country offline and render it inopera

The analogy goes like this. I was being attacked so I whacked him to may him stop. The corporate equivalent is, My network and computer systems were being attacked to whacked the attacker to make him stop.

You are more likely to die as a result of a gun if you carry one yourself [newscientist.com]. I can't find the study, but you are also more likely to end up being shot by your own gun than you are to ever shoot a bad guy with it (which makes sense - we hear of accidental self shootings all the time and most people who own a gun never actually use it in self defence).

If those statistics even roughly translated to IP address seeking missiles then we are going to have a problem.

While the game theory behind spite(hurting others even at a cost to oneself, the under-appreciated counterpart to altruism, helping others even at a cost to oneself) is interesting, and suggests that it can actually be vital in maintaining some mutually beneficial equilibria, all that breaks down if the assumption that retailiation can be accurately allocated is violated. It also breaks down if the assumption that all agents are indivisible is violated.

If I am hitting you through a botnet of compromised home users that I am renting from some botnet herder, do I fear your retaliation? Only if I think you are good enough to allocate it to me, despite multiple levels of indirection, and essentially innocent targets standing in your way.

Crippling the bots might achieve my immediate goal: bringing an end to your attack. If you are firing stolen missiles at me am I wrong to shoot them down?

If I am firing hijacked passenger airliners at you, are the criminal homicide charges and the civil wrongful death suits that you would accrue by shooting them down worth it?

That's the problem: there is basically no such thing as a pure weapon on the internet. Most "stolen missiles" are simultaneously poorly secured home or business computers that have never left the ownership(and, in general, since the botnet guys don't want their hosts getting wiped) are still being actively used by their owners for wh

There are no airliners and no passengers and no deaths: just the temporary shutting down of some pcs. The owners of those pcs may not know that they are being used to attack you, but they still are. I think a case can be made for your right to disable a weapon in the hand of your attacker even if it is not the attacker's property.

Another strained analogy. An enemy of yours is able to trick you neighbor's fancy automated lawn sprinkler into hosing down the front door of your business, driving off your cus